CVE-2025-66312 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Grav CMS admin plugin, specifically affecting versions prior to 1.11.0-beta.1. The vulnerability exists in the /admin/accounts/groups/Grupo endpoint, where the data[readableName] parameter does not properly neutralize user input during web page generation, classified under CWE-79. An attacker with authenticated access can inject malicious JavaScript code into this parameter, which is then stored persistently on the server. Whenever a user accesses the affected page, the malicious script executes in their browser context, potentially leading to session hijacking, credential theft, or unauthorized actions within the CMS. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:H indicates high privileges required, but the vector states PR:H, meaning privileges are required), user interaction is required (UI:A), and low impact on confidentiality and integrity but no impact on availability. The vulnerability is mitigated in version 1.11.0-beta.1 of Grav. No public exploits have been reported yet, but the stored nature of the XSS increases the risk of widespread impact once exploited. This vulnerability is particularly critical in administrative interfaces where elevated privileges can amplify the damage caused by XSS attacks.

For European organizations using Grav CMS versions prior to 1.11.0-beta.1, this vulnerability poses a significant risk to the confidentiality and integrity of administrative sessions and data. Attackers who gain authenticated access can inject persistent malicious scripts, potentially leading to session hijacking, unauthorized content modification, or deployment of further attacks such as phishing or malware distribution within the CMS environment. This can result in reputational damage, data breaches, and operational disruptions. Since Grav is used by various organizations for website and content management, including government, educational, and private sectors, exploitation could compromise sensitive information or disrupt public-facing services. The requirement for authenticated access limits the attack surface but does not eliminate risk, especially in environments with weak credential management or insider threats. The medium CVSS score reflects moderate severity but the stored nature and administrative context elevate the potential impact.

1. Upgrade all Grav CMS installations to version 1.11.0-beta.1 or later immediately to apply the official fix. 2. Implement strict input validation and sanitization on all user-supplied data, especially in administrative interfaces, to prevent injection of malicious scripts. 3. Deploy Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers. 4. Enforce strong authentication mechanisms, including multi-factor authentication (MFA), to reduce risk of unauthorized access. 5. Regularly audit and monitor administrative accounts and logs for suspicious activities indicative of exploitation attempts. 6. Educate administrators and developers about secure coding practices and the risks of XSS vulnerabilities. 7. Consider isolating administrative interfaces behind VPNs or IP whitelisting to limit exposure. 8. Conduct penetration testing focused on XSS and input validation in Grav environments to identify residual risks.